PCI compliance port 443
My last PCI scan reported "SSL/TLS Protocol Initialization Vector Implementation Information Disclosure Vulnerability".
Here's the full text:
Synopsis
It may be possible to obtain sensitive information from the remote host with SSL/TLS-enabled services.
Description
A vulnerability exists in SSL 3.0 and TLS 1.0 that could allow information disclosure if an attacker intercepts encrypted traffic served from an affected system.
TLS 1.1, TLS 1.2, and all cipher suites that do not use CBC mode are not affected.
This script tries to establish an SSL/TLS remote connection using an affected SSL version and cipher suite, and then solicits return data.
If returned application data is not fragmented with an empty or one-byte record, it is likely vulnerable.
OpenSSL uses empty fragments as a countermeasure unless the 'SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS' option is specified when OpenSSL is initialized.
Microsoft implemented one-byte fragments as a countermeasure, and the setting can be controlled via the registry key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\SendExtraRecord.
Therefore, if multiple applications use the same SSL/TLS implementation, some may be vulnerable while others may not, depending on whether or not a countermeasure has been enabled.
Note that this script detects the vulnerability in the SSLv3/TLSv1 protocol implemented in the server. It does not detect the BEAST attack where it exploits the vulnerability at HTTPS client-side (i.e., Internet browser). The detection at server-side does not necessarily mean your server is vulnerable to the BEAST attack because the attack exploits the vulnerability at client-side, and both SSL/TLS clients and servers can independently employ the split record countermeasure.
See also
http://blogs.msdn.com/b/kaushal/archive/2012/01/21/fixing-the-beast.aspx]Fixing the BEAST - Unleashed - Site Home - MSDN Blogs
Solution
Configure SSL/TLS servers to only use TLS 1.1 or TLS 1.2 if supported.
Configure SSL/TLS servers to only support cipher suites that do not use block ciphers. Apply patches if available.
Note that additional configuration may be required after the installation of the MS12-006 security update in order to enable the split-record countermeasure. See Microsoft KB2643584 for details.
Risk factor
Medium / CVSS Base Score : 4.3
(CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N)
CVSS Temporal Score : 3.7
(CVSS2#E:ND/RL:OF/RC:C)
Public Exploit Available : true
Plugin output
Negotiated cipher suite: AES256-SHA|TLSv1|Kx=RSA|Au=RSA|Enc=AES-CBC(256)|Mac=SHA1
CVE
CVE-2011-3389
BID
49778
Other reference
IAVB:2012-B-0006, MSFT:MS12-006, OSVDB:74829
I checked my settings in Home " Service Configuration " Apache Configuration " Global Configuration SSL Cipher Suite is set cPanel's PCI recommended
SSL/TLS Cipher Suite is set to
I found this old thread where the solution was listed as changing SSL Cipher Suite to
Is this still considered a valid and best solution? Are there any other settings I need to look at as well? I also followed the Troubleshooting PCI Compliance guide here and found there was only one one global SSLCipherSuite entry, so I don't thinks that is the issue. Any help would be greatly appreciated. Thanks, James
I checked my settings in Home " Service Configuration " Apache Configuration " Global Configuration SSL Cipher Suite is set cPanel's PCI recommended
ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP:!kEDHSSL/TLS Cipher Suite is set to
All -SSLv2 -SSLv3I found this old thread where the solution was listed as changing SSL Cipher Suite to
RC4-SHA:HIGH:!ADH:!AES256-SHA:!ECDHE-RSA-AES256-SHA384:!AES128-SHA:!DES-CBC3-SHA:!DES-CBC3-MD5:!IDEA-CBC-SHA:!RC4-MD5:!IDEA-CBC-MD5:!RC2-CBC-MD5:!MD5:!aNULL:!EDH:!AESGCMIs this still considered a valid and best solution? Are there any other settings I need to look at as well? I also followed the Troubleshooting PCI Compliance guide here and found there was only one one global SSLCipherSuite entry, so I don't thinks that is the issue. Any help would be greatly appreciated. Thanks, James
-
Hello :) Please let us know if the following thread is helpful: SSLv3 Vulnerability Thank you. 0 -
Also, let it be known that there is currently a security issue with SSLv3. Here's a link to read more about it... Click Here (googleonlinesecurity.blogspot.co.uk) 0 -
We are running into this issue as well. Everything is clear but BEAST in our PCI scan. JamesAB did that ultimately do the trick or did you have to use a different method? 0 -
Those cipher changes are not making a difference unfortunately as we are still triggering it. 0
Please sign in to leave a comment.
Comments
5 comments